Network Address Translation (NAT)

NAT Overview

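NAT is the process of rewriting the IP address in an IP packet header to another IP address. It is mainly used to let an internal network (private IP addresses) access external networks (public IP addresses). Basic NAT performs one-to-one IP address translation, whereas NAPT allows multiple private IP addresses to be mapped to the same public IP address.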

Configuration

Static

interface gigabitethernet ID
 nat static global 2.2.2.3 inside 192.168.0.2 netmask 255.255.255.255

Dynamic

acl number 2000                                                                 
 rule 5 permit source 192.168.20.0 0.0.0.255
#
nat address-group 1 2.2.2.100 2.2.2.200
#
interface gigabitethernet ID
 nat outbound 2000 address-group 1 no-pat
#

NAPT

#
acl number 2000                                                                 
 rule 5 permit source 192.168.20.0 0.0.0.255
#
nat address-group 1 2.2.2.100 2.2.2.200
#
interface gigabitethernet ID
 nat outbound 2000 address-group 1

EASY IP

#
acl number 2000                                                                 
 rule 5 permit source 192.168.0.0 0.0.0.255
#
interface gigabitethernet ID
 nat outbound 2000
#

Twice NAT


#
 sysname Router
#                                                                            
acl number 3180                                                                 
 rule 5 permit ip source 1.1.1.0 0.0.0.255    
#                                                                               
 nat alg dns enable
#
 nat address-group 1 2.2.2.100 2.2.2.200
#
 nat overlap-address 0 1.1.1.100 3.3.3.100 pool-length 254
#                                                                               
interface GigabitEthernet2/0/0                                                  
 ip address 1.1.1.1 255.255.255.0                                            
#                                                                               
interface GigabitEthernet1/0/0                                                  
 ip address 2.2.2.2 255.255.255.0                                            
 nat outbound 3180 address-group 1                                              
#                                                                               
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
ip route-static 3.3.3.100 255.255.255.255 GigabitEthernet1/0/0 2.2.2.1
#                                                                         
return  

Comprehensive Example

Requirement: both internal and external users can reach the internal server through the public address 11.11.11.6, and internal users can access the external network.

acl number 2000                                                                 
 rule 5 permit source 192.168.1.0 0.0.0.255                                     
#                                                                               
acl number 3000  
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0          
#                                                                               
interface GigabitEthernet1/0/0                                                  
 ip address 192.168.1.1 255.255.255.0                                           
 nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255  
 nat outbound 3000  
#                                                                               
interface GigabitEthernet2/0/0                                                  
 ip address 11.11.11.1 255.0.0.0                                                  
 nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255  
 nat outbound 2000  
#                                                                               
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2                                 
#                                               
return    
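
Every `nat outbound` line above refers to an ACL, and optionally an address group, by number, so a mistyped number leaves the interface pointing at something that is not defined. The following Python check is an added example, not part of the original post: it parses a configuration in the style shown on this page and reports `nat outbound` lines whose ACL or address-group is missing. The function name `check_nat_refs` and the sample configuration are constructed for illustration, and only the command forms used on this page are recognised.

```python
import re

# Constructed sample in the style of the configs above: ACL 2000 and
# address-group 1 are defined, ACL 2001 and address-group 2 are not.
SAMPLE = """\
acl number 2000
 rule 5 permit source 192.168.20.0 0.0.0.255
#
nat address-group 1 2.2.2.100 2.2.2.200
#
interface GigabitEthernet1/0/0
 nat outbound 2001 address-group 1 no-pat
#
interface GigabitEthernet2/0/0
 nat outbound 2000 address-group 2
#
interface GigabitEthernet3/0/0
 nat outbound 2000
"""

ACL_RE = re.compile(r"^acl number (\d+)$")
GROUP_RE = re.compile(r"^nat address-group (\d+)\s+\S+\s+\S+$")
IFACE_RE = re.compile(r"^interface (\S+)$")
OUT_RE = re.compile(r"^nat outbound (\d+)(?: address-group (\d+))?(?: no-pat)?$")


def check_nat_refs(config: str):
    """Return (interface, problem) tuples for dangling nat outbound references."""
    lines = [ln.strip() for ln in config.splitlines()]
    # First pass: collect every ACL number and address-group index defined.
    acls = {m.group(1) for ln in lines if (m := ACL_RE.match(ln))}
    groups = {m.group(1) for ln in lines if (m := GROUP_RE.match(ln))}
    findings, iface = [], None
    # Second pass: check each nat outbound line against those definitions.
    for ln in lines:
        if ln == "#":
            iface = None  # '#' closes the current configuration view
        elif m := IFACE_RE.match(ln):
            iface = m.group(1)
        elif m := OUT_RE.match(ln):
            acl, group = m.groups()
            if acl not in acls:
                findings.append((iface, f"ACL {acl} is not defined"))
            if group is not None and group not in groups:
                findings.append((iface, f"address-group {group} is not defined"))
    return findings


if __name__ == "__main__":
    for iface, problem in check_nat_refs(SAMPLE):
        print(f"{iface}: {problem}")
```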
